Critical security vulnerability at Amazon fixed

A cross-site scripting vulnerability allowed access to session cookies.
Online merchant Amazon has fixed a critical security vulnerability on its web site that allowed access to user accounts. Amazon fixed the problem immediately after The H's associates at heise Security informed the company. The issue seems to have affected all of Amazon's web sites for individual countries around the world.

The vulnerability could have been used to inject JavaScript code on the retailer's server that would be executed in another customer's browser when they opened the prepared page. This cross-site scripting (persistent XSS) allowed attacks on session cookies, which heise Security were able to use to access full names, email addresses and shopping carts in the course of their experiment. The vulnerability could also have been used to collect login data (phishing) or spread malware.

The exploit was trivial. All that was required was to make a post in the customer forum with a specially formatted title along the lines of "><script>alert('XSS')<script>. Since Amazon didn't sufficiently check the post title, the JavaScript code in the title was then embedded in some of the forum's subpages and executed by browsers when those pages were opened.
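
As an added example (not code from the article, and not Amazon's), the defect class described above beside its fix: a hypothetical reply form that writes the stored post title into a quoted attribute, first without and then with output encoding, plus an HttpOnly session cookie as a second, independent layer. The markup, function names and cookie attributes are assumptions; the sample title is constructed from the payload quoted in the article.

```javascript
// Added example, not code from the article or from Amazon: the bug class the
// article describes (a forum-post title written into a page without output
// encoding) beside the corrected rendering. The markup is hypothetical; the
// sample title is constructed from the payload the article quotes.

// Constructed sample title, modelled on the article's quoted string with the
// closing tag completed.
const SAMPLE_TITLE = '"><script>alert(\'XSS\')</script>';

// Escape the five characters that can terminate a text node or a quoted
// attribute value. Encoding must happen at render time, for the context the
// value lands in; checking the title on input alone is not sufficient.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the title is concatenated raw into a quoted attribute,
// so a leading `">` closes the attribute and the tag, and whatever follows is
// parsed as new markup (persistent XSS once the post is stored).
function renderReplyFormVulnerable(title) {
  return `<input name="subject" value="${title}">`;
}

// Corrected rendering: the same template with the value encoded for the
// attribute context; the browser now shows the title literally.
function renderReplyFormSafe(title) {
  return `<input name="subject" value="${escapeHtml(title)}">`;
}

// Crude render-time check for a test suite: does the emitted HTML contain a
// script element that the template itself did not put there?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Second layer: mark the session cookie HttpOnly so injected script cannot
// read it through document.cookie even where encoding is missed.
// (Cookie name and attributes are an assumption, not Amazon's configuration.)
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

console.log("vulnerable:", renderReplyFormVulnerable(SAMPLE_TITLE));
console.log("safe:      ", renderReplyFormSafe(SAMPLE_TITLE));
console.log("script element present (vulnerable / safe):",
  hasScriptElement(renderReplyFormVulnerable(SAMPLE_TITLE)),
  hasScriptElement(renderReplyFormSafe(SAMPLE_TITLE)));
```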

The pages with the injected code could be directly linked to, allowing malicious users to send the links by email, and could also be accessed directly from the forum. Amazon certainly could have quickly deleted the prepared forum posts with unusual titles, but that didn't happen. One public post that was part of the test stayed up for weeks without being discovered.

Michael E. discovered the vulnerability and informed heise Security, who passed on the details to Amazon yesterday afternoon. This morning, a spokesperson for the company called to say that the problem had been fixed.